topic Re: store a password for a script in Operating System - HP-UX

store a password for a script

Geetam — Wed, 13 Sep 2000 12:53:14 GMT

Can anyone suggest a way of storing a password, so it can be used in a script, without breaking 'all security rules'.

The best I can come up with is to create a user with a name which is almost imposible to remember, with an equally hard to memorise password. And store each in a different files with access rights, so they are hard to find/read. Not very secure in my opinion... (the script will give it all away)

Any better suggestions?

Re: store a password for a script

Stefan Farrelly — Wed, 13 Sep 2000 12:58:23 GMT

You could try using the crypt command on these passwords when they are stored in a file, and also use crypt to decrypt them when needed. This way at least they are a bit more secure when stored in a file.

Re: store a password for a script

John Palmer — Wed, 13 Sep 2000 13:07:02 GMT

One technique is to keep the password in a file that is only readable by a particular user (that nobody can log in as) and to use the setuid bit (set-owner-ID-on file-execution - see man chmod) on the script that reads it.

This script would have to be responsible for its own security and would only return the password to one of a set of users or whatever restriction you wanted to employ.

You can also use the 'crypt' command to encrypt the password and use the setuid technique to obtain the encryption key.

I use a combination of both the above techniques for securely obtaining Oracle passwords for use by backup scripts etc.

On the subject of Oracle, never supply the password as a command line argument to any Oracle command as it can be seen in a 'ps' listing. For example instead of:-

sqlplus system/ <
do

sqlplus << EOD
system/

Re: store a password for a script

Kofi ARTHIABAH — Wed, 13 Sep 2000 13:08:24 GMT

Geetam:

It depends on what your script is trying to do. For example, let's say that you want a script that will automate logging onto another machine to execute some commands, you might want to consider using ssh with private/public key combinations with ssh.

The SSH documentation describes how you can setup two hosts to talk without exchanging passwords (only exchanging keys - which are unique to the machine-user combination)

security by obsurity is not very advisable!

Alternatively, you could write a program in c, and compile it with the password somehow embeded... maybe if you give more of an idea of what your program does, you might get more.